authorDavid E. O'Brien <obrien@FreeBSD.org>2000-02-14 02:59:36 +0000
committerDavid E. O'Brien <obrien@FreeBSD.org>2000-02-14 02:59:36 +0000
commit8b129ae9038edb7056d88465602ddcf485b931ac (patch)
tree830115ab8d02de9f3efb50895939ff3507d1a20b /security
parentForgot the README's. (diff)
RID is a configurable tool which uses intrusion fingerprints to track down
compromised hosts. RID can remotely detect Stacheldraht, TFN, Trinoo and TFN2k if the attacker did not change the default ports.
Notes
Notes: svn path=/head/; revision=25806
Diffstat (limited to 'security')
-rw-r--r--security/rid/Makefile34
-rw-r--r--security/rid/distinfo1
-rw-r--r--security/rid/files/patch-Makefile11
-rw-r--r--security/rid/files/patch-parser.l8
-rw-r--r--security/rid/pkg-comment1
-rw-r--r--security/rid/pkg-descr12
-rw-r--r--security/rid/pkg-plist3
7 files changed, 70 insertions, 0 deletions
diff --git a/security/rid/Makefile b/security/rid/Makefile
new file mode 100644
index 000000000000..d80be02afc82
--- /dev/null
+++ b/security/rid/Makefile
@@ -0,0 +1,34 @@
+# ex:ts=8
+# Ports collection makefile for: ddos_scan
+# Version required: 1.6
+# Date created: Sun Feb 12, 2000
+# Whom: David O'Brien (obrien@NUXI.com)
+#
+# $FreeBSD$
+#
+
+DISTNAME= rid-1_0
+PKGNAME= rid-1.0
+CATEGORIES= security
+MASTER_SITES= http://packetstorm.securify.com/distributed/ \
+ ftp://ftp.ntua.gr/pub/security/technotronic/denial/
+EXTRACT_SUFX= .tgz
+
+MAINTAINER= obrien@FreeBSD.org
+
+WRKSRC= ${WRKDIR}/${PKGNAME}
+ALL_TARGET= rid
+
+pre-configure:
+ @${PERL} -pi -e 's:config.txt:${PREFIX}/etc/rid.conf:g' \
+ ${WRKSRC}/config.h
+
+do-install:
+ @${INSTALL_PROGRAM} ${WRKSRC}/rid ${PREFIX}/sbin
+ @${INSTALL_DATA} ${WRKSRC}/config.txt ${PREFIX}/etc/rid.conf
+.if !defined(NOPORTDOCS)
+ @${MKDIR} ${PREFIX}/share/doc/rid
+ @${INSTALL_MAN} ${WRKSRC}/README ${PREFIX}/share/doc/rid
+.endif
+
+.include <bsd.port.mk>
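Review bot: `do-install` copies `config.txt` directly onto `${PREFIX}/etc/rid.conf`, so a reinstall or upgrade silently replaces any fingerprints the administrator has edited. Because pkg-plist in this commit lists `etc/rid.conf`, deinstall will most likely remove the edited file as well. I would install the shipped copy as a sample instead, `@${INSTALL_DATA} ${WRKSRC}/config.txt ${PREFIX}/etc/rid.conf.sample`, and list `etc/rid.conf.sample` in pkg-plist. Two smaller points: the header comment still names `ddos_scan` rather than `rid`, and the `pre-configure` substitution uses `:` as its delimiter with an unescaped `.` in `config.txt`, which breaks if `PREFIX` ever contains a colon.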
diff --git a/security/rid/distinfo b/security/rid/distinfo
new file mode 100644
index 000000000000..0c4cf2f8e097
--- /dev/null
+++ b/security/rid/distinfo
@@ -0,0 +1 @@
+MD5 (rid-1_0.tgz) = e954c79898465597d0da783738460554
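Review bot: This single MD5 line is the only check that would detect a `rid-1_0.tgz` altered in transit or on a mirror, and the port Makefile fetches it over plain `http://` and `ftp://`. MD5's collision resistance is broken, so where the ports framework supports it I would record a stronger digest and the file size alongside, e.g. `SHA256 (rid-1_0.tgz) = <sha256-of-verified-tarball>` and `SIZE (rid-1_0.tgz) = <size-in-bytes>`. Compute those values from a copy whose origin has been checked independently of the mirrors, since the binary is installed into `sbin` and is presumably run with root privileges to capture packets.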
diff --git a/security/rid/files/patch-Makefile b/security/rid/files/patch-Makefile
new file mode 100644
index 000000000000..3403d9a62d28
--- /dev/null
+++ b/security/rid/files/patch-Makefile
@@ -0,0 +1,11 @@
+--- Makefile.orig Tue Feb 8 18:23:08 2000
++++ Makefile Sun Feb 13 18:32:40 2000
+@@ -1,6 +1,6 @@
+
+-CC=gcc
+-LIBS=-lsocket -lnsl -lpcap -ll -ly
++#CC=gcc
++LIBS=-lpcap
+ SRCS = sender.c main.c pinger.c y.tab.c lex.yy.c listen.c
+ OBJS = sender.o main.o pinger.o y.tab.o lex.yy.o listen.o
+ CFLAGS=-g
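Review bot: `CFLAGS=-g` is left as unchanged context, so the upstream Makefile still assigns its own flags and will probably override any `CFLAGS` the ports framework passes through the environment. That would leave the installed binary unoptimised and without whatever hardening or warning flags the builder has configured. The hunk already comments out `CC` so the port's compiler is used; I would treat the flags the same way with `CFLAGS?=-g`. A short note on why `-ll -ly` can be dropped from `LIBS` while `SRCS` still builds `y.tab.c` and `lex.yy.c` would also help the next maintainer.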
diff --git a/security/rid/files/patch-parser.l b/security/rid/files/patch-parser.l
new file mode 100644
index 000000000000..4b89a6c774b5
--- /dev/null
+++ b/security/rid/files/patch-parser.l
@@ -0,0 +1,8 @@
+--- parser.l.orig Fri Jan 28 11:37:32 2000
++++ parser.l Sun Feb 13 18:32:00 2000
+@@ -1,4 +1,5 @@
+ %{
++#include <sys/types.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <strings.h>
diff --git a/security/rid/pkg-comment b/security/rid/pkg-comment
new file mode 100644
index 000000000000..6ab1a04a5fbb
--- /dev/null
+++ b/security/rid/pkg-comment
@@ -0,0 +1 @@
+Configurable remote distributed denial of service tool detector
diff --git a/security/rid/pkg-descr b/security/rid/pkg-descr
new file mode 100644
index 000000000000..7621341b0587
--- /dev/null
+++ b/security/rid/pkg-descr
@@ -0,0 +1,12 @@
+RID - Remote Intrusion Detection
+--------------------------------
+RID is a configurable tool which uses intrusion fingerprints to track down
+compromised hosts. RID can remotely detect Stacheldraht, TFN, Trinoo and TFN2k
+if the attacker did not change the default ports.
+
+After a compromise, this information can often be turned into a "fingerprint"
+of the intrusion. RID is designed to be capable of accurately specifying this
+"fingerprint" with little knowledge of network programming.
+
+RID is based off an extension of ngrep (network grep). It is different because
+it extends ngrep into a probing tool.
diff --git a/security/rid/pkg-plist b/security/rid/pkg-plist
new file mode 100644
index 000000000000..38b5075ac07a
--- /dev/null
+++ b/security/rid/pkg-plist
@@ -0,0 +1,3 @@
+sbin/rid
+etc/rid.conf
+share/doc/rid/README